Protecting Data from Organized Crimeware

Attacks, whether from internal or external sources, are
nothing new. However, there have been many reports (from Panda Security,
PricewaterhouseCoopers and M86 Security, for example) over the past year or so
indicating that the state of the economy is to blame for the recent increase in
computer crime, as it gives malicious parties more motivation to steal. It's as
hard to argue with this common-sense argument as it is to figure out why these
companies think this is innovative research. (Come on, people. Is it really
noteworthy that when times are tough more people steal? Ask Jean Valjean if
this is something new.)

New or not, data theft is getting more and more attention
from C-level executives. The PricewaterhouseCoopers report mentioned earlier
also stated that "protecting data elements is now a top priority at - arguably - the
most critical time." The proportion of surveyed organizations reporting
that they have a DLP strategy in place has increased from 29 percent in 2008
to 44 percent in 2009. Many survey respondents indicated that "their organization
continuously prioritizes data and information security assets according to their
risk level."

Today's information security battle is about money. International
crime syndicates rent time on botnets and later help low-level criminals
launder money stolen by banking Trojans such as the Zeus and Silentbanker
families. It used to take a skilled programmer to indulge in cyber-crime, but
now even script kiddies can cash in as exploit kits built on Mpack and Gpack
are widely available for download. Most kits come with a warranty, technical
support and software version updates. The malware battle has spun so far out of
control that, as M86 Security mentioned in its April report, "Web
Exploits: There's an App for That," we're starting to see the evolution of
an international service economy in which some are beginning to offer "crimeware
as a service."

This obviously puts malware at the top of the list of
security concerns for everyone, from consumers to CISOs. In the past year, we've seen a
dramatic increase in the number of variants of a single exploit (relegating
signature-based anti-malware to the graveyard) and in the percentage of
legitimate Websites that were exploited and used to plant malware on unsuspecting
visitors (relegating Web content filtering solutions that rely on domain as the
unit of analysis to a shallow grave next to signature-based anti-malware). Targeted
attacks are also on the rise. McAfee, in its "2010 Threat Predictions"
report from December 2009, described the widespread problem and delved into the
example of GhostNet, "a network of at least 1,295 compromised computers in
103 countries."

Patching systems to update software has become a critical
function in many enterprises. In 2009, just about everyone (Symantec, McAfee, IBM
Internet Security Systems ...) reported a rise in the number of attacks against
applications. McAfee noted, "The favorite vector among attackers is Adobe [Systems]
products, primarily Flash and Acrobat Reader." Security researchers find
that many of the most common exploits are of vulnerabilities that were
announced and patched five or more years ago. This threat could be mitigated
simply by patching on a regular basis. However, patching is tedious and time-consuming.

Matthew D. Sarrel, CISSP, is a network security, product development, and technical marketing consultant based in New York City. He is also a game reviewer and technical writer. To read his opinions on games please browse http://games.mattsarrel.com and for more general information on Matt, please see http://www.mattsarrel.com.